CVE-2025-55345

Unsafe symlink following in restricted workspace-write sandbox leads to RCE

CVSS 8.8 HIGHEPSS 0.8%CWE-61

In short

Codex CLI in workspace-write mode follows symbolic links without proper validation, allowing an attacker to overwrite arbitrary files on the system. If a malicious repository or directory tricks the tool into following a symlink, attackers can execute code with the privileges of the user running Codex.

Technical detail

A symlink-following vulnerability exists in Codex CLI's workspace-write sandbox where malicious symlinks within a repository or working directory are traversed without validation, bypassing directory restrictions. Pre-condition: user executes Codex CLI in workspace-write mode within attacker-controlled directory context. Impact: arbitrary file overwrite and potential RCE via code execution through modified files.

Summary generated and translated by AI from the official description.

Using Codex CLI in workspace-write mode inside a malicious context (repo, directory, etc) could lead to arbitrary file overwrite and potentially remote code execution due to symlinks being followed outside the allowed current working directory.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected products

@openai/codex

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/openai/codex/pull/1705 https://research.jfrog.com/vulnerabilities/codex-cli-symlink-arbitrary-file-overwrite-jfsa-2025-001378631/